9 No Research Exemptions in ECPA!
Some trace collection permitted by:
- Consent of users, or
- Provider exception (allowing network operators to monitor networks to defend them)
Limitations:
- Individual consent hard to get
- Blanket consent (e.g., as part of a network's terms of service) may provide little information about data collection, use
- Provider exception requires collaboration with operational IT staff

13 How ECPA Affects Cybersecurity Research (3)
Activity: Sharing or publishing packet traces
Relevant law: SCA
- Applies only to public service providers: commercial ISPs but not businesses
- Full-packet traces: disclosure prohibited without consent, subpoena
- Packet header traces: disclosure allowed unless given to governmental entity
  - Much broader than law enforcement; hampers some public releases

17 Is the CFAA as Broad as It Sounds?
Perhaps... United States v. Lori Drew (2009)
- "Access" means "to obtain information from"
- Authorization may be set by Terms of Service
- But U.S. Const. limits criminal application of CFAA in TOS breach cases.
- Insufficient clarity + arbitrary enforcement = unconstitutional vagueness

25 Ethical Trouble Spots for Network Research
- Is it HSR?
- Waiver of Informed Consent
  - May be waived if impracticable to obtain
- Deception
  - Minimal risk
  - No adverse effect on subjects' rights, welfare
  - Non-deceptive research design impracticable

26 IRB Review: Easing the Pain
Exemptions
- Studies of existing, publicly available data
- Studies of data recorded so that subjects cannot be identified, directly or through IDs
- Note: IRB decides whether research is exempt.
Expedited review
- Research involves no more than minimal risk
- Allows quick(er) protocol approval

31 Software Analysis: Contract Issues
- EULAs typically prohibit reverse engineering, other processes that reveal vulnerabilities
- Courts usually enforce them, but important issues remain unsettled:
  - Pre-emption by patent law
  - Tension with First Amendment

32 Software Analysis: DMCA Issues
- No person shall circumvent a technological measure that effectively controls access to a work protected by the Copyright Act
- But: courts, U.S. DOJ have found that the DMCA does not prohibit conducting research on or publishing papers about software vulnerabilities.
- Caveats:
  - Publishing actual circumvention software might violate DMCA.
  - Restrictions in EULAs still apply.

34 Resources
- Legal Information Institute (http://www.law.cornell.edu/)
  - Open access to US Constitution, US Code
- Common Rule
  - Go to select title 45, part 46.
- Samuelson Clinic at UC Berkeley School of Law (http://www.samulesonclinic.org/)
- Reforming the ECPA to Enable a Culture of Cybersecurity Research (http://jolt.law.harvard.edu/)
  - In-depth analysis of applicable privacy laws and proposal for a research exception to the ECPA
